In this episode, Partner Richard Wells and Senior Associate Suzy McMillan from MinterEllisonRuddWatts’ Corporate and Commercial team discuss the critical issue of ransomware attacks, their impact on organisations, and the key legal considerations involved in responding to such threats.
[01:24 – 02:28] Richard and Suzy observe that ransomware attacks have become a significant concern for organisations of all sizes in recent times, emphasising the legal and operational challenges they present.
[02:29 – 04:02] Suzy explains that a ransomware attack involves the use of malicious software to encrypt an organisation's data, restricting access to critical IT systems until a ransom is paid. She highlights the growing trend of threat actors (TAs) using tactics such as exposing sensitive information to exert additional pressure on organisations.
[04:03 – 06:12] Richard and Suzy talk through initial steps in responding to a ransomware attack, such as activating incident response plans, forming crisis management teams and engaging experts such as cybersecurity professionals and negotiators. Richard highlights the importance of consulting cyber insurers before taking any specific actions, and of also consulting third parties such as the Police.
[07:03 – 12:10] Richard and Suzy consider the practical, legal and moral implications of paying ransomware demands, including unreliable recovery, potential reputational damage, and the ethical dilemma of funding criminal activities.
[12:30 – 14:03] Richard considers the New Zealand Government’s stance on ransom payments in comparison to approaches taken in other jurisdictions.
[14:04 – 16:28] Suzy then discusses legal developments in cyber incident reporting in New Zealand, including the introduction of regulations by the RBNZ and FMA, requiring various financial institutions to report the occurrence of cyber incidents.
[16:30 – 19:13] Suzy and Richard compare New Zealand’s framework with Australia’s mandatory requirements for reporting ransomware payments, highlighting the establishment of Australia’s Cyber Incident Review Board as a collaborative approach to resilience against such threats.
Information in this episode is accurate as at the date of recording, 25 November 2024.
Please contact Richard Wells, Suzy McMillan or our Corporate and Commercial team if you need legal advice and guidance on any of the topics discussed in the episode.
Please get in touch to receive an episode transcript. Please don’t forget to rate, review or follow MinterEllisonRuddWatts wherever you get your podcasts.